Paleohacks, the largest paleo diet & paleo recipes online community, has suffered a major data breach that originated from a cloud account the company was using to store the private data of its customers.

The breach was discovered by vpnMentor’s research team who revealed that Paleohacks had failed to implement basic security protocols. As a consequence, the personal details of over 70,000 customers and users have been leaked online, including names, email addresses, profile photos, and PII data. The victims are now subject to fraud, identity theft, hacking, and other types of cyberattacks.

paleohacks-hashed_credentials image heimdal security

Images Source: vpnMentor

The research team, led by Noam Rotem, said Paleohacks was using an Amazon Web Services (AWS) S3 bucket to store its customer data which is highly popular among businesses worldwide. Nevertheless, the multimedia online lifestyle brand failed to manually set up their data privacy protocols when creating the S3 bucket account. This misconfiguration left the entire content publicly exposed to anyone with the most basic hacking skills.

Paleohacks-usernames_descriptions image heimdal security

Image Source: vpnMentor

According to the researchers, some of the entries also contained password reset tokens for subscription and membership services. These tokens were protected via the BCRYPT hashing algorithm but it could still be possible for cybercriminals to abuse them.

Aside from PII data and personal information, some entries in the bucket also contained password reset tokens for account holders on Paleohacks’ subscription and membership products.

While the passwords were protected by the BCRYPT hashing algorithm (a sophisticated form of password encryption), a hacker could easily use the tokens to reset a person’s password, gain access, and lock the original user out of their account. Doing so would allow the hackers to take control of 1,000s of Paleohacks accounts and any additional data stored therein.

Source: vpnMentor

The breach was first discovered on February 4th, 2021, and although vpnMentor reached out to the vendor on February 7th, 9th, and March 17th, the company has ignored every attempt the team has made to help them close the vulnerability, telling them they’re “not interested”.

As a last resort, the team reached out to Amazon and the AWS S3 bucket was eventually secured.

At this point, it is unknown whether unauthorized parties accessed the bucket before it was secured against intrusion.

The research team advises customers concerned about how this breach might impact them to contact the Paleohacks directly to determine what steps it’s taking to protect their data.

Outspread SITA Security Breach Exposes More Airlines [Updated]

Cleaning and Catering Business Spotless Hit by a Severe Data Breach

533 Million Facebook Users’ Personal Data Leaked Online

700+ Million Email Addresses Leaked and Why it Matters to You

Leave a Reply

Your email address will not be published. Required fields are marked *